OPENLDAP
----------2015-05-03 update----------
[Working installation example]
Content excerpted from: http://laoguang.blog.51cto.com/6013350/1636273
Environment:
CentOS 6.5 minimal; iptables and SELinux disabled
jumpserver: 192.168.20.130
test host testserver: 192.168.20.131
1. Deploy the LDAP server
1.1 Install the LDAP server
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install -y vim automake autoconf gcc xz ncurses-devel patch python-devel git python-pip gcc-c++ # base build environment; later steps depend on it
yum install -y openldap openldap-servers openldap-clients openldap-devel
1.2 Prepare the configuration files
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf ## slapd configuration file
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG ## database configuration file
1.3 Edit the configuration file
# vim /etc/openldap/slapd.conf
...
loglevel 1
...
suffix "dc=jumpserver,dc=org"
rootdn "cn=admin,dc=jumpserver,dc=org"
rootpw secret234
Note: the matching entry on line 107 of slapd.conf must also be changed to "cn=admin,dc=jumpserver,dc=org"
# Notes:
- loglevel: sets the log level
- suffix: effectively the base DN
- rootdn: DN of the super administrator
- rootpw: password of the super administrator
1.4 Edit the syslog configuration file
# vim /etc/rsyslog.conf
# add the following line below local7.*
local4.* /var/log/ldap.log
Then restart the logging service:
service rsyslog restart
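Once slapd writes to /var/log/ldap.log, that file can drive simple detection of password guessing against the directory. The following Python is an added example, not part of the original notes or the source blog: it parses constructed sample lines in the format slapd emits at loglevel stats (256, the level that records connections, operations and results; the notes set loglevel 1, which is a trace level), pairs each BIND with its RESULT, and counts failed binds (err=49, invalidCredentials) per client IP and bind DN. The sample lines, hostnames, connection numbers and the alert threshold are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in slapd "stats" log format as delivered by rsyslog;
# not taken from a real server. conn 1001 binds successfully, conn 1002 fails
# three times against the admin DN.
SAMPLE_LOG = """\
May  3 10:00:01 jumpserver slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.168.20.131:45022 (IP=0.0.0.0:389)
May  3 10:00:01 jumpserver slapd[1234]: conn=1001 op=0 BIND dn="uid=testuser,ou=People,dc=jumpserver,dc=org" method=128
May  3 10:00:01 jumpserver slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
May  3 10:00:02 jumpserver slapd[1234]: conn=1001 op=1 UNBIND
May  3 10:00:02 jumpserver slapd[1234]: conn=1001 fd=12 closed
May  3 10:05:00 jumpserver slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.168.20.199:50001 (IP=0.0.0.0:389)
May  3 10:05:00 jumpserver slapd[1234]: conn=1002 op=0 BIND dn="cn=admin,dc=jumpserver,dc=org" method=128
May  3 10:05:00 jumpserver slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
May  3 10:05:01 jumpserver slapd[1234]: conn=1002 op=1 BIND dn="cn=admin,dc=jumpserver,dc=org" method=128
May  3 10:05:01 jumpserver slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text=
May  3 10:05:02 jumpserver slapd[1234]: conn=1002 op=2 BIND dn="cn=admin,dc=jumpserver,dc=org" method=128
May  3 10:05:02 jumpserver slapd[1234]: conn=1002 op=2 RESULT tag=97 err=49 text=
May  3 10:05:03 jumpserver slapd[1234]: conn=1002 fd=13 closed
"""

# ACCEPT ties a connection id to the client address; BIND and RESULT are
# matched on (conn, op). tag=97 is the LDAP bindResponse.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def failed_binds(log_text):
    """Return {(client_ip, bind_dn): count} for bind operations that ended in err=49."""
    client_ip = {}             # conn id -> client IP from the ACCEPT line
    pending = {}               # (conn, op) -> DN of a BIND awaiting its RESULT
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            client_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) == "49":
                failures[(client_ip.get(m.group(1), "?"), dn)] += 1
    return dict(failures)


def suspicious_sources(log_text, threshold=3):
    """Client IPs with at least `threshold` failed binds against a single DN (threshold is a constructed value)."""
    return sorted({ip for (ip, _dn), n in failed_binds(log_text).items() if n >= threshold})


if __name__ == "__main__":
    for (ip, dn), n in failed_binds(SAMPLE_LOG).items():
        print("%s -> %s: %d failed binds" % (ip, dn, n))
    print("alert:", suspicious_sources(SAMPLE_LOG))
```

Run it against the real file with `failed_binds(open("/var/log/ldap.log").read())`; because the counts are keyed on the bind DN as well as the source address, repeated failures against rootdn stand out separately from a user who mistyped their own password.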
1.5 Start slapd and check that it is running
chkconfig slapd on
service slapd start
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/
service slapd restart
netstat -tulnp | grep slapd
# Note: the first start initializes the LDAP database under /var/lib/ldap; to wipe the LDAP database, delete that directory but keep the DB_CONFIG file. Newer OpenLDAP releases read their configuration from /etc/openldap/slapd.d, so the old configuration there is removed and slaptest regenerates it from slapd.conf.
1.6 Import the LDIF directory skeleton and a test user. The skeleton can be exported with migrationtools, or you can use the files I exported.
In base.ldif, group.ldif and passwd.ldif, replace dc=jumpserver,dc=org with your own base DN, then import them; the password prompted for is the rootpw set above, secret234. The files can be downloaded from Baidu Cloud: http://pan.baidu.com/s/1i3kne6p
ldapadd -x -W -D "cn=admin,dc=jumpserver,dc=org" -f base.ldif
ldapadd -x -W -D "cn=admin,dc=jumpserver,dc=org" -f group.ldif
ldapadd -x -W -D "cn=admin,dc=jumpserver,dc=org" -f passwd.ldif
# Note: the test user is testuser with password testuser123
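The three LDIF files above are only available from the download link. As an added example, not part of the original notes or the source blog, the following Python script generates an equivalent base.ldif, group.ldif and passwd.ldif for the dc=jumpserver,dc=org layout, storing the user's password as an {SSHA} hash rather than in cleartext. The ou names (People, Group), the uid/gid numbers, the group name and the attribute set are assumptions modelled on migrationtools output. The same ssha_hash() output is also accepted by slapd for rootpw in slapd.conf, in place of the cleartext secret234 used above.

```python
import base64
import hashlib
import os
from typing import Optional

# Constructed sample layout: the base DN from the notes, ou=People / ou=Group
# and the testuser account. Attribute values are assumed plain ASCII (no LDIF
# base64 encoding is attempted).
BASE_DN = "dc=jumpserver,dc=org"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307 style {SSHA} value, as slappasswd does.

    slapd verifies these in userPassword and also accepts one as rootpw in
    slapd.conf, so no cleartext password needs to be kept on disk.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SSHA} value (useful for tooling)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_entry(dn: str, attrs: dict) -> str:
    """Render one LDIF entry; list values become repeated attribute lines."""
    lines = ["dn: " + dn]
    for name, value in attrs.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append("%s: %s" % (name, v))
    return "\n".join(lines) + "\n"


def base_ldif(base_dn: str = BASE_DN) -> str:
    """Root entry plus the two organizational units the other files hang off."""
    dc = base_dn.split(",")[0].split("=", 1)[1]
    return "\n".join([
        ldif_entry(base_dn, {"objectClass": ["dcObject", "organization"], "dc": dc, "o": dc}),
        ldif_entry("ou=People," + base_dn, {"objectClass": "organizationalUnit", "ou": "People"}),
        ldif_entry("ou=Group," + base_dn, {"objectClass": "organizationalUnit", "ou": "Group"}),
    ])


def group_ldif(name: str, gid: int, base_dn: str = BASE_DN) -> str:
    """A posixGroup entry under ou=Group."""
    return ldif_entry("cn=%s,ou=Group,%s" % (name, base_dn),
                      {"objectClass": "posixGroup", "cn": name, "gidNumber": str(gid)})


def passwd_ldif(uid: str, uidn: int, gidn: int, password: str,
                base_dn: str = BASE_DN, salt: Optional[bytes] = None) -> str:
    """A posixAccount entry under ou=People with a hashed userPassword."""
    return ldif_entry("uid=%s,ou=People,%s" % (uid, base_dn), {
        "objectClass": ["account", "posixAccount", "shadowAccount"],
        "uid": uid, "cn": uid,
        "uidNumber": str(uidn), "gidNumber": str(gidn),
        "homeDirectory": "/home/" + uid, "loginShell": "/bin/bash",
        "userPassword": ssha_hash(password, salt),
    })


if __name__ == "__main__":
    # group name and uid/gid numbers are constructed values
    for name, text in [("base.ldif", base_ldif()),
                       ("group.ldif", group_ldif("testgroup", 10001)),
                       ("passwd.ldif", passwd_ldif("testuser", 10001, 10001, "testuser123"))]:
        with open(name, "w") as fh:
            fh.write(text)
        print("wrote", name)
```

The generated files are imported with the same three ldapadd commands shown above; pass a different base_dn to the functions if your suffix is not dc=jumpserver,dc=org.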
2. Deploy the LDAP client on testserver
--- CentOS 6 setup ---
2.1 Install the LDAP client
yum -y install openldap openldap-clients nss-pam-ldapd pam_ldap
2.2 Enable automatic home directory creation
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
2.3 Back up the existing authconfig settings, then enable LDAP authentication
authconfig --savebackup=auth.bak
authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --ldapserver=192.168.20.130 --ldapbasedn="dc=jumpserver,dc=org" --update
--- CentOS 5 setup ---
2.1 Install the LDAP client
yum -y install openldap openldap-clients nss_ldap
2.2 Enable automatic home directory creation
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
2.3 Enable LDAP authentication
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=192.168.20.130 --ldapbasedn="dc=jumpserver,dc=org" --update
2.4 Test by connecting as testuser from jumpserver
ssh testuser@192.168.20.131 # password is testuser123
In production, remember to create a fallback (disaster-recovery) account; that is not covered here.
-------------------EOF-------------------
----------2015-04-23 update----------
Beginner tutorial
- https://sites.google.com/site/openldaptutorial/Home/
-------------------EOF-------------------
References:
https://pythonhosted.org/django-auth-ldap/_static/versions/1.0.19/index.html
http://www.cnblogs.com/dkblog/archive/2011/11/03/2234490.html
http://www.cnblogs.com/itech/archive/2011/02/11/1951576.html
http://www.cnblogs.com/sheldonxu/archive/2012/05/08/2490054.html
http://codex.wiki/question/1755440-9916/
http://www.vpsee.com/2012/11/use-python-ldap-to-create-read-delete-upgrade-ldap-entries/
http://blog.csdn.net/daimachonggou/article/details/12978277
http://czmmiao.iteye.com/blog/1561597
http://blog.csdn.net/daimachonggou/article/details/17437167
http://www.kaiyuanba.cn/content/manage/ringkee/module.htm
- [Official site] http://www.openldap.org
- http://kinggoo.com/openldapinstallconf.htm
- [Concise explanation of LDAP] http://darklipeng.iteye.com/blog/583615
- [Configuration differences] http://seanlook.com/2015/01/21/openldap-install-guide-ssl/
- http://www.beyond362.com/2014/12/30/openldap/
- http://www.linuxidc.com/Linux/2011-01/31577.htm
- [Installation for CentOS 7] http://weli.iteye.com/blog/2076993
- [CentOS 6.4 installation] http://my.oschina.net/5lei/blog/193484
- [Installation] http://www.ttlsa.com/nosql/install-openldap-on-linux/
- [Installation example] http://www.linuxidc.com/Linux/2012-04/57932.htm
- [Installation and deployment] http://tonyguo.blog.51cto.com/379574/182432/
- [Ubuntu installation and deployment] http://www.gtwang.org/2012/01/ubuntu-ldap-server.html
- [Usage] http://www.ibm.com/developerworks/cn/linux/l-openldap/
- http://www.cnblogs.com/ccdc/category/482234.html
- http://my.oschina.net/HankCN/blog/145617
- [Backup and restore] http://tonychee1989.diandian.com/
- [Administration tools] http://www.ldapadministrator.com/
【Installation】
Follow the official guide: http://www.openldap.org/doc/admin24/quickstart.html
gunzip -c openldap-VERSION.tgz | tar xvfB - # or: tar -xzvf openldap-VERSION.tgz
cd openldap-VERSION
./configure
make depend
make
make test
make install
【Configuration】
/usr/local/etc/openldap
- Fix for "error: command 'gcc' failed with exit status 1" when running pip install python-ldap:
yum install -y openldap-devel
- Usage example
#! /usr/bin/env python
import sys

import ldap

ldappath = "ldap://192.168.0.100:389"
# bind identity; OpenLDAP simple bind expects a DN here (the UPN form suits Active Directory)
username = "testuser@ldapserver.org"
password = "testuser123"
baseDN = "dc=ldapserver,dc=org"
searchScope = ldap.SCOPE_SUBTREE
# Active Directory variant of the filter and attribute list:
#searchFilter = "(&(objectClass=person)(sAMAccountName=*))"
#retrieveAttributes = ['sAMAccountName', 'givenName', 'sn', 'mail']
searchFilter = "(uid=*)"
retrieveAttributes = None   # None returns all user attributes

try:
    conn = ldap.initialize(ldappath)
    conn.protocol_version = ldap.VERSION3
    # simple_bind_s is the synchronous form: a bind failure raises here
    # instead of being deferred until the first result() call
    conn.simple_bind_s(username, password)
except ldap.LDAPError as e:
    print('error:', e)
    sys.exit(1)
else:
    print('bind success')

results = conn.search_s(baseDN, searchScope, searchFilter, retrieveAttributes)
for dn, entry in results:
    if dn:   # referral entries come back with dn None; skip them
        print(dn, '\n', entry)
        print()
print("total:", len(results))
conn.unbind_s()
del conn
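The script above uses a fixed filter "(uid=*)". When the uid comes from user input (a login form, an API parameter), interpolating it into the filter string lets the caller change the filter's structure, so every value must be escaped per RFC 4515 and, better, checked against an account-name policy first. The following is an added example, not part of the original page: escape_filter_chars() has the same effect as ldap.filter.escape_filter_chars() in python-ldap, the unsafe concatenation is shown beside the safe version, and lookup_user() accepts any object with a search_s() method so it can be exercised offline. SCOPE_SUBTREE is the numeric value of ldap.SCOPE_SUBTREE; the base DN, attribute list and the UID_RE naming policy are assumptions.

```python
import re

SCOPE_SUBTREE = 2   # numeric value of ldap.SCOPE_SUBTREE; avoids importing python-ldap here
BASE_DN = "dc=jumpserver,dc=org"          # assumed base DN, matching the notes above
UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # assumed local account-name policy


def escape_filter_chars(value):
    """Escape the characters RFC 4515 reserves inside an assertion value.

    Backslash, '*', '(', ')' and NUL become \\XX hex escapes, so the value can
    no longer alter the structure of the filter it is placed in. Same effect
    as ldap.filter.escape_filter_chars() from python-ldap.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unsafe_uid_filter(uid):
    """Plain interpolation, as a 'before' picture: a uid of '*' becomes a match-all filter."""
    return "(uid=%s)" % uid


def safe_uid_filter(uid):
    """Validate against the account-name policy, then escape; None if rejected."""
    if not UID_RE.match(uid):
        return None
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_chars(uid)


def lookup_user(conn, uid, base_dn=BASE_DN):
    """Search for one account.

    `conn` is any object with search_s() like ldap.LDAPObject. A uid that fails
    the policy raises before anything is sent to the server.
    """
    filterstr = safe_uid_filter(uid)
    if filterstr is None:
        raise ValueError("invalid account name: %r" % uid)
    return conn.search_s(base_dn, SCOPE_SUBTREE, filterstr, ["uid", "cn"])


class FakeConn:
    """Stand-in for ldap.LDAPObject so lookup_user() can run without a server."""

    def __init__(self):
        self.filters = []   # every filter string handed to search_s()

    def search_s(self, base, scope, filterstr, attrlist=None):
        self.filters.append(filterstr)
        if filterstr == safe_uid_filter("testuser"):
            return [("uid=testuser,ou=People," + base, {"uid": [b"testuser"]})]
        return []


if __name__ == "__main__":
    bad = "*)(objectClass=*"
    print("unsafe:", unsafe_uid_filter(bad))          # structure of the filter is hijacked
    print("escaped:", escape_filter_chars(bad))       # the same bytes as a literal value
    print("policy:", safe_uid_filter(bad))            # None: rejected before escaping
    conn = FakeConn()
    print("lookup:", lookup_user(conn, "testuser"))
```

Escaping is the minimum; the allow-list in safe_uid_filter() rejects anything that is not a plausible POSIX account name, which keeps wildcard and substring searches out of a code path meant to resolve exactly one user. Apply the same escaping to every other user-supplied value that lands in a filter (mail addresses, group names), and keep bind DNs out of user control entirely.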